Guest Access in SMB2 disabled on 1709 version of Windows 10 and Windows Server 2016

When you try to access a consumer-grade or old NAS from a brand new Windows 10 Fall Creators Update machine, you will get a network access error.
Due to security issues in the SMB protocol, Windows 10 and Windows Server 2016 release 1709 ship with some SMB features disabled by default:

  • SMBv1 not installed (enable it with Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)
  • SMBv2 Guest Access disabled

As Microsoft states:
In Windows 10 Fall Creators Update and Windows Server version 1709, the SMB2 client no longer allows the following actions:

  • Guest account access to a remote server
  • Fallback to the Guest account after invalid credentials are provided

SMBv2 has the following behavior in Windows 10 Fall Creators Update and Windows Server 2016 version 1709:

  • Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows Server 2016 Datacenter and Standard edition no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows 10 Home and Professional editions are unchanged from their previous default behavior.

These security settings, though welcome in modern enterprise environments, can cause problems with older NAS devices that share folders over the SMBv1 protocol and allow unauthenticated access.
In this case you will receive a network error.
To change this behavior you can set a specific Computer Group Policy:

"Computer Configuration\Administrative Templates\Network\Lanman Workstation"
"Enable insecure guest logons"
Enable insecure guest logon policy

This setting disables security features such as SMB Encryption and SMB Signing, and it is not recommended because it exposes your computer to vulnerabilities such as man-in-the-middle attacks. The best practice is to enable, whenever possible, authenticated access to shared folders on the NAS.
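
To see which machines have had this protection relaxed, the following audit script reports the state of the policy and of the SMBv1 feature. It is an added example, not part of the original post. The registry value name AllowInsecureGuestAuth, the EnableInsecureGuestLogons property, and event ID 31017 in the Microsoft-Windows-SmbClient/Security log come from Microsoft's documentation rather than from this page, so confirm them on your build.

```powershell
# Added example: audit the SMB client settings discussed above (run elevated).
# Assumption: registry paths, property name and event ID are as documented by
# Microsoft for the "Enable insecure guest logons" policy; they are not from the post.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-GuestAuthValue {
    param([string]$Path)
    # Returns $null when the key or value is absent (the OS default applies).
    $item = Get-ItemProperty -Path $Path -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.AllowInsecureGuestAuth } else { $null }
}

$policyValue = Get-GuestAuthValue -Path $policyKey   # written by Group Policy
$localValue  = Get-GuestAuthValue -Path $localKey    # written by a local change

# State as reported by the SMB client ($null if the property is missing on this build).
$effective = (Get-SmbClientConfiguration).EnableInsecureGuestLogons

# SMBv1 optional feature, same feature name the article uses to enable it.
$smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State

# Flag the machine if guest logons are allowed by any path or SMBv1 is installed.
$weakened = ($effective -eq $true) -or ($policyValue -eq 1) -or
            ($localValue -eq 1) -or ($smb1 -eq 'Enabled')

[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    PolicyAllowInsecureGuest = $policyValue
    LocalAllowInsecureGuest  = $localValue
    EffectiveInsecureGuest   = $effective
    SMB1Feature              = $smb1
    Finding                  = if ($weakened) { 'REVIEW: SMB client protections relaxed' } else { 'OK' }
}

# Recent blocked guest logons: shows which servers still rely on guest access,
# so they can be moved to authenticated shares instead of enabling the policy.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31017
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A value of 1 under the Policies key means the setting came from Group Policy; a value only under the service Parameters key points to a local change that no GPO is tracking.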
